Hi list, I am using rsyslog to forward logs between KVM guest and host machines during the Fedora installation program (aka Anaconda).
Details are described here: https://fedoraproject.org/wiki/Anaconda/Logging#Remote_logging_via_virtio, but in the gist: recent QEMU/KVM has a feature using which one can write to a character device on the guest end and read those data from a unix socket on the host end. We are trying to use this facility to forward the installation logs to the host. Two rsyslogd instances are involved in the process: the sending one on the guest end and the receiving one on the host end (which parses the incoming messages' headers and files the messages into different files).

Unfortunately I've run into a couple of issues trying to set up the forwarding using this mechanism:

1) KVM opens a SOCK_STREAM on the host end but rsyslogd is only able to read data from SOCK_DGRAM. This has two consequences: first, to be able to attach rsyslog on the host end one first needs to copy the data between the two socket types, e.g. using socat. Second, messages longer than 1024 characters are sometimes split into two. The second message is thus missing the syslog header and the receiving rsyslogd doesn't know where to file it. Is there a recommended workaround for those things (maybe a parameter I overlooked in the docs telling rsyslogd to use SOCK_STREAM)?

2) I seem to be unable to get the forwarding template right. For network forwarding (which is also supported in Anaconda), simply putting no explicit formatting does the trick:

    *.* @@ some.host

The received logs can be matched for anything: severity, facility, hostname and programname. This is not the case when logs are forwarded through the character device:

    *.* /dev/virtio_ports/port_name

Using the implicit formatting the receiving syslog won't parse the programname. I tried using the predefined ForwardFormat but then the receiving rsyslogd parsed hostname as the programname and the programname remains part of the final message. Is that the expected behavior?
What worked for me in the end was creating a template based on the ForwardFormat but with the %HOSTNAME% part omitted:

I can live with that for now since I know the message came from a certain socket so it can be only one host. Still: it seems weird there's no forwarding format provided that would retain 100% of the information parsable by another rsyslog reading from a socket. I'm probably just missing something?

Thanks for any reply about this.

Ales Kozumplik
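
The split described in issue 1, as an added example that is not part of the original post: a read on a stream socket returns whatever bytes are available, so a relay that emits one datagram per read cuts long messages, while one that buffers and re-frames does not. It assumes the guest-side template ends every record with a newline; `StreamFramer`, `parse_pri`, `relay` and the sample messages are constructed for illustration, and `send` stands for any callable such as a datagram socket's send method.

```python
import re

# Assumption: the sender terminates every record with "\n", so LF delimits frames.
PRI_RE = re.compile(rb"^<(\d{1,3})>")

class StreamFramer:
    """Reassemble LF-delimited syslog records from arbitrary stream chunks."""

    def __init__(self, max_record=64 * 1024):
        self.buf = bytearray()
        self.max_record = max_record

    def feed(self, chunk):
        """Add bytes read from the stream; return the records completed so far."""
        self.buf += chunk
        records = []
        while (nl := self.buf.find(b"\n")) >= 0:
            if nl:                              # skip empty lines
                records.append(bytes(self.buf[:nl]))
            del self.buf[:nl + 1]
        if len(self.buf) > self.max_record:
            # Unterminated oversized input: drop it rather than grow without bound.
            self.buf.clear()
        return records

def parse_pri(record):
    """Return (facility, severity) from the <PRI> header, or None if it is missing."""
    m = PRI_RE.match(record)
    if not m or int(m.group(1)) > 191:
        return None
    return divmod(int(m.group(1)), 8)

def relay(chunks, send):
    """Pass stream chunks through the framer; call send() once per whole record."""
    framer = StreamFramer()
    for chunk in chunks:
        for record in framer.feed(chunk):
            send(record)

def demo():
    # Constructed sample: a 1540-byte record and a short one, read 1024 bytes at a time.
    long_msg = b"<30>2011-01-01T00:00:00+00:00 anaconda: " + b"x" * 1500
    stream = long_msg + b"\n<14>2011-01-01T00:00:01+00:00 program: short\n"
    chunks = [stream[i:i + 1024] for i in range(0, len(stream), 1024)]
    framed = []
    relay(chunks, framed.append)
    # "chunks" is what a one-datagram-per-read relay would have sent.
    return chunks, framed, long_msg
```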

